Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware

Three China-affiliated threat actors seen taking advantage


Microsoft said that a hacking group it's tracking as Storm-2603 is exploiting critical vulnerabilities in the company's SharePoint platform to deploy ransomware.

SharePoint is "a secure, enterprise-grade content management and collaboration platform," according to Microsoft's website, which also describes it as a way to "securely collaborate, sync, and share content." (Essentially: organizations use it to build sites accessed via their intranets.) But those assurances of its security have been undermined by reports of multiple groups exploiting numerous vulnerabilities in the platform.

"The group that Microsoft tracks as Storm-2603 is assessed with moderate confidence to be a China-based threat actor," the company said. "Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives. Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities."

So what should organizations that rely on SharePoint do to mitigate the risk of joining the list of Storm-2603's victims? Unfortunately, there isn't a one-click solution—Microsoft said they should ensure they're using the latest version of the platform, which is typical for advisories like this, but its advice didn't end with installing a few updates. (Especially since bypasses to some of its fixes have already been found.)


Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.